CVE-2026-55810
Drupal · Plotly.js Graphing
A PHP object injection vulnerability exists in the Drupal Plotly.js Graphing module due to improper control of dynamically determined object attributes during deserialization.
Executive summary
An object injection vulnerability in the Drupal Plotly.js Graphing module, affecting versions prior to 3.0.2, poses a significant risk of unauthorized data modification and potential remote code execution.
Vulnerability
This vulnerability involves improper deserialization of PHP objects within the Plotly.js Graphing module. An attacker with authenticated access (specifically the ability to edit content entities containing a plotly_js_graph field) can inject malicious objects that are processed during deserialization.
Business impact
The CVSS score of 8.1 reflects a high-severity risk, primarily due to the potential for significant integrity and confidentiality compromise. Successful exploitation could allow an attacker to alter application logic or data structures, potentially leading to unauthorized system access or full compromise of the affected Drupal site. Because this requires specific permissions, the risk is most acute for organizations with multiple contributors or those utilizing the JSON:API module with permissive settings.
Remediation
Immediate Action: Update the Drupal Plotly.js Graphing module to version 3.0.2 or later immediately to resolve the deserialization flaw.
Proactive Monitoring: Review web server and Drupal access logs for anomalous requests targeting content editing endpoints or unexpected serialized data patterns.
Compensating Controls: Ensure that the JSON:API module is configured to restrict operations and verify that user permissions are strictly limited to the principle of least privilege, preventing unauthorized users from editing fields that utilize the vulnerable graphing component.
Exploitation status
Public Exploit Available: No (no confirmed public exploit identified).
Analyst recommendation
Given the high CVSS score and the nature of object injection vulnerabilities, organizations should prioritize patching this module immediately. The requirement for authentication does not eliminate the risk, particularly in environments with broad user access. Administrators must verify their current version and apply the 3.0.2 update to prevent potential compromise of their Drupal environment.